|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #54383 extend the usage of session_encode/session_decode
Submitted: 2011-03-25 16:16 UTC Modified: 2013-08-21 02:13 UTC
Avg. Score:4.2 ± 0.9
Reproduced:3 of 3 (100.0%)
Same Version:3 (100.0%)
Same OS:3 (100.0%)
From: tyra3l at gmail dot com Assigned: yohgaki (profile)
Status: Closed Package: Session related
PHP Version: 5.3.6 OS:
Private report: No CVE-ID: None
 [2011-03-25 16:16 UTC] tyra3l at gmail dot com
I always wondered about the rationale about the session_encode/decode in it's 
current form, but Chris Shiflett's blogpost made me to open this bugreport:

I would propose two changes:
- add a new optional array argument for session_encode, if it is passed, then 
encode that instead of the $_SESSION array.
- add a new optional boolean argument for session_decode, if that sets to true 
(default is false), then the decoded session array is returned instead of 
inserted to $_SESSION

obviously the documentation about the return variable for session_decode should 
also be updated to reflect this change.

this should be backward compatible change, but it would allow us to 
encode/decode an arbitary serialized session without the need to save and reload 
the contents of the current $_SESSION array.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2011-07-02 19:23 UTC] arraypad at gmail dot com
The problem with this is that we currently expect the (possibly custom) serializer to work directly on the $_SESSION array. Changing this would be a big BC break in the session API.
 [2011-07-02 19:32 UTC] tyra3l at gmail dot com
I don't see your point.
as I mentioned, this change would be backward compatible, because by default, the 
behavior would be the same, but it would be possible to encode/decode the session 
from/to an arbitary variable.

 [2011-07-02 20:13 UTC] arraypad at gmail dot com
The BC break would be in the session serializer API. Serializers are expected to read directly from $_SESSION - the PS_ENCODE_LOOP macro is provided to facilitate this but it may not be used - and to write back to $_SESSION. Again we provide php_set_session_var() to facilitate this and the two serializers we bundle use it, but custom serializers may not.

We could provide this feature without the BC break by adding a separate interface, but it wouldn't work for any custom serializers (igbinary for example) until they were updated.

I think the current interface is poor, but I'm not convinced that adding another interface is the answer - I'd rather fix it and accept the BC break, but that would have to wait for a new major version.
 [2012-03-31 03:55 UTC]
-Assigned To: +Assigned To: yohgaki
 [2013-08-21 02:13 UTC]
-Status: Assigned +Status: Closed
 [2013-08-21 02:13 UTC]
php_serialize will be available from PHP 5.5.4.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Jun 24 13:01:31 2024 UTC